How to configure port security on Cisco switches

Overview

In some environments, a network must be secured by controlling what stations can gain access to the network itself. Port security is a feature used on Cisco Catalyst switches which limits the MAC addresses allowed to appear on a specific port. In most cases network administrators use this to secure access to the physical network.

With this feature, only predefined static MAC addresses or a limited number of dynamically learned MAC addresses can access the network. Suppose a user connects to a port on which port security is enabled and their MAC address is not on the list of allowed addresses. In that case the port is shut down, or the packets arriving on that port are dropped, depending on the configured violation action. To recover, the port must be re-enabled manually by the network administrator, or automatically after a period of time if the errdisable cause is configured for automatic recovery (300 seconds by default).

If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. By default, port security is turned off on all interfaces.

Before we start configuring port security, the following conditions must be met:

the port to be configured must be a static access port (not in dynamic desirable mode, which is the default state on most Cisco switches)

the port must not have any static MAC address already configured

the port cannot be part of an EtherChannel port group

the port cannot be a destination port for Switch Port Analyzer (SPAN)

Configuring port security

In order to enable port security on a switch port we must enter interface configuration mode and use the following sequence of commands:

Entering the switchport port-security command accepts the default setting of allowing only one MAC address, which is learned from the first device that communicates on the switch port. We can set the maximum number of addresses allowed to appear on the secure port with the following command:

SW01(config-if)#switchport port-security maximum max-addr

where max-addr is a number in the range 1 – 1024. Catalyst switches support three types of secure MAC addresses:

Static secure MAC addresses – which are manually configured by using the following interface configuration command:

SW01(config-if)#switchport port-security mac-address mac-addr

These MAC addresses are stored in the address table and added to the switch running configuration. The MAC address is given in dotted-triplet format (xxxx.xxxx.xxxx). If the number of static addresses configured is less than the maximum number of addresses secured on the port, the remaining addresses are learned dynamically.

Dynamic secure MAC addresses – which are dynamically learned, stored only in the address table, and removed when the switch restarts.

Sticky secure MAC addresses – which can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to relearn them when the switch restarts. To enable sticky learning, enter the following interface configuration command:

SW01(config-if)#switchport port-security mac-address sticky

This command converts all dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
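The preconditions and the interface commands above can be checked before a change window rather than discovered by a rejected command. The following Python script is an added example, not part of the original article: it parses a constructed `show running-config` excerpt for a hypothetical switch SW01, skips ports that are not static access ports, and flags EtherChannel members, access ports with no port security, and ports whose violation mode is `protect` (which keeps no record of violations). The interface names and config contents are constructed sample input.

```python
# Constructed 'show running-config' excerpt for a hypothetical switch SW01 (sample input only).
RUNNING_CONFIG = """\
interface FastEthernet0/7
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
interface FastEthernet0/8
 switchport mode access
!
interface FastEthernet0/9
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/1
 switchport mode access
 channel-group 1 mode active
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith("!"):
            current = None  # '!' closes the stanza
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
    return stanzas

def audit_port_security(config):
    """Return {interface: [issues]} for every static access port in the config."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunk/dynamic ports cannot run port-security; skipped
        issues = []
        if any(c.startswith("channel-group") for c in cmds):
            issues.append("EtherChannel member: port-security is not allowed")
        if "switchport port-security" not in cmds:
            issues.append("access port without port-security")
        else:  # violation mode defaults to 'shutdown' when not configured
            mode = next((c.split()[-1] for c in cmds
                         if c.startswith("switchport port-security violation")), "shutdown")
            if mode == "protect":
                issues.append("violation mode 'protect' keeps no record of violations")
        findings[name] = issues
    return findings
```

Running `audit_port_security(RUNNING_CONFIG)` returns an empty issue list for FastEthernet0/7 and one or more findings for the other three ports.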

Port security violations

A security violation occurs if a MAC address that is already configured as a secure address on another interface in the same VLAN attempts to access the secure port, or if the maximum number of MAC addresses allowed on the secure port has already been reached and an unknown address tries to access it. By default, when such a condition is met the port is shut down and put in the errdisable state. This type of violation displays a message on the switch console similar to the one below:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000f.fe21.cc41 on port FastEthernet0/7.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down

Three violation modes determine the action taken when a violation occurs:

Shutdown — the port is immediately put into the errdisable state, which effectively shuts it down, and the port LED turns off. It must be re-enabled manually or through the errdisable recovery mechanism before it can be used again.

Restrict — the port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.

Protect — the port is allowed to stay up, as in restrict mode. Packets from violating addresses are dropped, but no record of the violation is kept.

To configure how an interface should react if a violation occurs on a secure port, use the following interface configuration command:

In this example we observe that port security is enabled on interface FastEthernet0/7 and the port has been shut down. The port status is Secure-shutdown, which means the port has been put in the errdisable state. An administrator must re-enable the port manually by issuing the shutdown interface command followed by no shutdown. The last two lines display the offending MAC address and the security violation count.

To display the ports on which port security has been enabled, use the show port-security command as in the following example:

This command also displays count information and the security action to be taken per interface.

Configuring Port Security Aging

Port security supports a feature called aging, in which an existing secure MAC address is deleted after an aging condition is met. Two types of aging are supported per port:

Absolute — the secure addresses on the port are deleted after the specified aging time.

Inactivity — the secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.

Port security aging is disabled by default, with a default time of 0 minutes. The maximum aging time allowed is 1440 minutes. To enable secure address aging for a particular port, set the aging time to a value other than 0 for that port. To allow limited-time access to particular secure addresses, set the aging type to absolute; when the aging time lapses, the secure addresses are deleted. To allow continuous access to a limited number of secure addresses, set the aging type to inactivity; this removes a secure address when it becomes inactive, so other addresses can become secure. To configure MAC aging on an interface we use the switchport port-security aging interface configuration command with the following syntax:

Note: Please be advised that port security aging of sticky secure MAC addresses is not supported.

Port security autorecovery

As I said earlier, if a port enters the errdisable state due to a security violation it must be re-enabled manually by the network administrator. This task can become annoying if it happens very often. To avoid this situation we can enable the auto-recovery mechanism for secure ports in the errdisable state, using the following global configuration commands:

Here we enabled auto-recovery for all secure ports which are in the errdisable state and set the recovery interval to 30 minutes. The recovery interval is specified in seconds. After the 30-minute period elapsed, we observed that the port automatically returned to its normal state, allowing traffic to pass. If the cause is not cleared, the violation will trigger again after the port comes back up, re-initiating the auto-recovery cycle.

%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/7
%LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to up
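The violation messages in the previous section and the recovery messages above are what a syslog collector sees, and the re-triggering cycle just described is the pattern worth alerting on. The following Python script is an added example, not part of the original article: it parses the %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_RECOVER lines, counts violations and offending MACs per port (normalising Fa0/7 and FastEthernet0/7 to one key), and reports ports that violated again after an auto-recovery, meaning the offending host is still attached. The switch, MAC addresses and log excerpt are constructed.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt in the message formats shown above (hypothetical switch SW01).
SYSLOG = """\
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000f.fe21.cc41 on port FastEthernet0/7.
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/7
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000f.fe21.cc41 on port FastEthernet0/7.
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/3.
"""

VIOLATION = re.compile(r"PSECURE_VIOLATION: .*MAC address ([0-9a-f]{4}(?:\.[0-9a-f]{4}){2}) on port (\S+?)\.?$")
RECOVER = re.compile(r"ERR_RECOVER: .*psecure-violation err-disable state on (\S+)$")

def norm(port):
    """Map 'Fa0/7' and 'FastEthernet0/7' to the same key ('fa0/7')."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(\d\S*)", port)
    return (m.group(1) + m.group(2)).lower()

def analyse(syslog):
    """Per port: violating MACs, violation count, recoveries, and violations that
    re-occurred after an auto-recovery (the offending host is still attached)."""
    stats = defaultdict(lambda: {"macs": set(), "violations": 0,
                                 "recoveries": 0, "reviolated": 0})
    pending = set()  # ports that recovered and have not violated since
    for line in syslog.splitlines():
        v = VIOLATION.search(line)
        r = RECOVER.search(line)
        if v:
            port = norm(v.group(2))
            stats[port]["violations"] += 1
            stats[port]["macs"].add(v.group(1))
            if port in pending:
                stats[port]["reviolated"] += 1
                pending.discard(port)
        elif r:
            port = norm(r.group(1))
            stats[port]["recoveries"] += 1
            pending.add(port)
    return dict(stats)

def repeat_offenders(syslog):
    """Ports where auto-recovery alone will not help: they violated again after recovering."""
    return sorted(p for p, s in analyse(syslog).items() if s["reviolated"])
```

With the sample above, `repeat_offenders(SYSLOG)` returns only fa0/7, the port whose violation recurred after recovery, while fa0/3 is a single violation with no recovery yet.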

Clearing or disabling port-security

Sometimes we need to clear all the MAC addresses of a secure port in order to allow a new host to be connected. To do this we use the clear port-security privileged EXEC command. This command can be run for a specific MAC address, for a specific interface, or for all secure MAC addresses. For example, to remove all the dynamic secure addresses learned on a specific interface, run this command:

SW01# clear port-security dynamic interface fastethernet0/7

If you need to completely disable port security on an interface or a range of interfaces, use the “no” form of the switchport port-security command:

This will disable all port-security settings on the specified interface.

Conclusion

Overall, the port-security feature can ease the life of a network administrator by limiting unauthorized access to the network. Port security is not a 100% secure solution, because MAC addresses can be spoofed. A more elegant solution would be to implement the IEEE 802.1X standard.